"Yngve Nysaeter Pettersen (Developer, Opera Software A/S)"
<[email protected]> wrote:
> On Sun, 7 Dec 2008 11:08:41 -0700, [email protected] wrote:
> >[email protected] wrote:
> >> I had a thread going on VideoLan's (VLC Player) forum,
> >> forum.videolan.org, and every time I used the link to a reply in Opera
> >> it requests approval of a certificate (CAcert). The warning is that the
> >> cert chain is incomplete and the signer(s) are not registered. In
> >> asking about it, I was sent to the CAcert site, which among other
> >> things lists the browsers that include this certification; Opera is not
> >> among them (http://wiki.cacert.org/wiki/InclusionStatus). Why is
> >> that? I hadn't heard prior to this of end users having to register to
> >> get certificates.
> >In looking at that list again and reading around more, it seems like
> >there are a number of hurdles and costs for browsers to jump to get
> >CAcert, and Mozilla/Firefox's status is still up in the air. Does that
> >mean for CAcert-affiliated sites, individual Opera users will have to
> >run the certification approval each time indefinitely?
> You should only get the warning once per server per session of Opera, although
> you can pin the certificate for that server (option on the middle tab of the
> dialog in 9.50+ if you decide you trust the site).
> There are quite a few hoops for the CAs to jump through to get into a browser
> root program. See http://www.opera.com/docs/ca/ for more.
> If you decide you trust CAcert's certificate issuing policies, and want to accept
> ALL the certificates they have issued, you can install their Root and Class 3
> certificates yourself for your profile (remember to click "View" and uncheck
> "Warn about this certificate"). As I have not, as mentioned, studied their
> policies, nor know of any results of a WebTrust or equivalent ETSI audit, I
> only say you need to look carefully at those documents.
> Please note that I have recently become aware of two problems with CAcert:
> Neither of their revocation services work with Opera 9.50+. The OCSP server
> does not comply with the RFC's requirements (this is easy to fix serverside;
> just upgrade the server), and the CRL is (unnecessarily) hosted on an HTTPS
> server requiring the CRL that we are trying to fetch first, causing a Catch-22
> situation (this can only be fixed with a reissue of their Root; I can also
> alleviate it to some extent but that requires recoding the CRL handling).
> of these two problems will cause you to not see a padlock under any
> with CAcert issued certificates with Opera.
Thanks to both of you for answers.
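
The CRL Catch-22 described in the quoted reply, sketched as an added example that is not part of the original thread: it walks the CRL distribution points a client must fetch and reports when an HTTPS-hosted CRL can only be downloaded after that same CRL has been checked. All certificate names, hosts and URLs are constructed placeholders, not CAcert's real ones.

```python
from urllib.parse import urlsplit

# Constructed sample data (placeholders): certificate -> issuer and CRL distribution points.
CERTS = {
    "Example Root":       {"issuer": "Example Root", "crl": []},
    "Example Class 3":    {"issuer": "Example Root",
                           "crl": ["https://crl.ca.example/root.crl"]},
    "crl.ca.example":     {"issuer": "Example Class 3",
                           "crl": ["https://crl.ca.example/class3.crl"]},
    "forum.site.example": {"issuer": "Example Class 3",
                           "crl": ["https://crl.ca.example/class3.crl"]},
    "Plain CA":           {"issuer": "Plain CA", "crl": []},
    "shop.site.example":  {"issuer": "Plain CA",
                           "crl": ["http://crl.plain.example/ca.crl"]},
}
# Constructed: HTTPS host name -> the server certificate it presents.
TLS_HOSTS = {"crl.ca.example": "crl.ca.example"}

def chain_crls(name, certs):
    """CRL URLs needed to check each certificate from `name` up to its root."""
    urls, seen = [], set()
    while name not in seen:          # a self-signed root names itself as issuer
        seen.add(name)
        urls.extend(certs[name]["crl"])
        name = certs[name]["issuer"]
    return urls

def find_deadlock(url, certs, tls_hosts, path=()):
    """Return the circular fetch path starting at `url`, or None if fetchable."""
    if url in path:
        return list(path[path.index(url):]) + [url]
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None                  # plain HTTP: nothing to validate before download
    server_cert = tls_hosts[parts.hostname]
    for needed in chain_crls(server_cert, certs):
        cycle = find_deadlock(needed, certs, tls_hosts, path + (url,))
        if cycle:
            return cycle
    return None

def check_site(name, certs=CERTS, tls_hosts=TLS_HOSTS):
    """First revocation deadlock hit while validating site `name`, else None."""
    for url in chain_crls(name, certs):
        cycle = find_deadlock(url, certs, tls_hosts)
        if cycle:
            return cycle
    return None
```

Because the distribution point URL is embedded in the issued certificates, moving the CRL to plain HTTP (as in the second constructed CA) means changing what the certificates say, not just the server.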